Working to help protect customers from vulnerabilities in Adobe software. Contact us at PSIRT(at)adobe(dot)com.

Archive for November, 2008

Today’s Flash Player Security Bulletin discloses several new potential vulnerabilities, but please note that there is no new corresponding Flash Player update since the previous Security Bulletin. Adobe waited until an update to Adobe AIR, which embeds Flash Player, was available before disclosing this particular set of issues because the vulnerabilities in today’s Security Bulletin APSB08-22 have more potential impact for the AIR product than the previously disclosed Flash Player issues from Security Bulletins APSB08-18 and APSB08-20. If you haven’t already, please update to Flash Player 10.0.12.36 (or Flash Player 9.0.151.0).
There is also an AIR Security Bulletin today, which includes an update to resolve an AIR-specific security issue and the aforementioned Flash Player issues. We recommend everyone update to Adobe AIR 1.5.
Finally, we have published a new Security Advisory for Flash Media Server customers. Adobe recommends Flash Media Server customers enable SWF verification to avoid potential video stream capturing by third-party software.

This posting is provided “AS IS” with no warranties and confers no rights.

Today we posted two Security Bulletins, APSB08-20 for Flash Player 9 and APSB08-21 for ColdFusion. With regard to the Flash Player bulletin, no action is required by customers who have already updated to Flash Player 10.0.12.36, the latest version, which is now available at www.adobe.com/go/getflashplayer. The Flash Player 9.0.151.0 update we released today addresses issues previously reported in Security Bulletin APSB08-18 (posted on October 15), as well as other issues which we did not want to disclose until fixes were available in the Flash Player 9 update available today. If you can’t update to Flash Player 10, follow the instructions in APSB08-20 to update your version of Flash Player 9.
The ColdFusion hotfix included in Security Bulletin APSB08-21 resolves a potential privilege escalation issue that is particularly applicable to ColdFusion servers in a shared hosting environment.

This posting is provided “AS IS” with no warranties and confers no rights.